They’re Not Breaking In. They’re Logging In. And They’re Doing It 4x Faster.
There is a sentence buried in Palo Alto Networks’ latest incident response report that should change how every organization thinks about cybersecurity. Sam Rubin, senior vice president at Unit 42, put it plainly: once an attacker has legitimate credentials, they are not breaking in. They are logging in. When an adversary blends into normal traffic, detection becomes incredibly challenging for even mature defenders.
That statement reframes the entire threat landscape. The attacker does not need to exploit a zero-day. They do not need to bypass a firewall. They do not need to deploy exotic malware. They need a stolen credential. And with that credential, they become indistinguishable from a legitimate user — moving through systems, accessing data, and exfiltrating it before security teams know anything has happened.
The numbers behind this shift are stark. Palo Alto Networks analyzed more than 750 incident response cases across the globe and found that threat groups are now moving four times faster than just a year ago. AI is accelerating every phase of the attack lifecycle: reconnaissance, phishing and scripting, and operational execution. In the most efficient attacks, data exfiltration occurs just 72 minutes after initial access. Stolen identities and tokens show up in 90% of incident response cases.
This is not a report about emerging threats on the horizon. This is a report about what is already happening — documented across hundreds of real-world incidents — and it reveals a fundamental mismatch between how fast attackers operate and how fast most organizations can detect and respond.
5 Key Takeaways
- Attackers Are Moving 4x Faster Than a Year Ago — and the Most Efficient Exfiltrate in 72 Minutes. Palo Alto Networks’ analysis of more than 750 incident response cases found that threat groups are now operating four times faster than just a year ago. AI is accelerating every phase: reconnaissance, phishing and scripting, and operational execution. In the most efficient attacks, data exfiltration occurs just 72 minutes after initial access. That is not a theoretical benchmark. That is the operational reality security teams must now defend against.
- Identity Is the Primary Attack Vector — Showing Up in 90% of Incident Response Cases. Stolen identities and tokens appeared in 90% of the incident response cases Unit 42 analyzed. Attackers are not breaking in. They are logging in. Once an adversary has legitimate credentials, they blend into normal traffic, making detection extraordinarily difficult even for mature security operations. The perimeter is no longer the point of entry. The credential is.
- Attackers Are Targeting Vulnerabilities Within 15 Minutes of CVE Disclosure. The window between vulnerability disclosure and active exploitation has collapsed. Attackers are now targeting known software flaws within 15 minutes of a CVE being published. AI enables simultaneous reconnaissance and initial access attempts against hundreds of targets at once. Organizations that rely on manual patching cycles measured in days or weeks are operating on a timeline that no longer exists.
- Trusted Integrations Are the New Supply Chain Attack Surface. Nearly one-quarter of incidents over the past year involved attackers abusing trusted integrations to launch attacks against SaaS applications. These integrations provide legitimate, privileged access that is inherently difficult to defend because the connection itself is authorized. Palo Alto Networks’ Unit 42 describes this as a structural shift in supply chain risk — moving beyond vulnerable code to the abuse of trusted links between systems.
- The 42-Day Detection Average Is Catastrophically Mismatched Against 72-Minute Exfiltration. Industry average dwell time remains approximately 42 days. Attackers are exfiltrating data in 72 minutes. That mismatch is not incremental. It is categorical. By the time traditional detection and response processes identify a breach, attackers have completed their mission more than 800 times over. Real-time data access monitoring and automated policy enforcement are no longer aspirational. They are the minimum viable defense against AI-accelerated threats.
The 72-Minute Window Has Broken the Detection Model
The industry average dwell time — the period between initial compromise and detection — remains approximately 42 days. Attackers are now exfiltrating data in 72 minutes. That is not a gap. It is a chasm. By the time traditional security operations identify that a breach has occurred, the attacker has been gone for weeks. The data is already exfiltrated. The damage is already done.
The four-times acceleration is driven by AI across the attack lifecycle. AI-powered reconnaissance identifies targets, maps data repositories, and discovers vulnerabilities at machine speed. AI-generated phishing campaigns craft convincing social engineering at scale, achieving the high click-through rates that human-crafted campaigns cannot match. AI-assisted scripting automates exploitation and persistence. AI-driven operational execution coordinates simultaneous attacks against multiple targets.
The 72-minute exfiltration window means that any detection mechanism operating on human timescales — periodic log reviews, manual alert triage, weekly threat hunts — is structurally incapable of catching the attack before it completes. By the time an analyst reviews the alert, correlates it with other signals, investigates the scope, and escalates to incident response, the exfiltration happened hours or days ago. The detection model built for a world where attackers dwelled for weeks or months is catastrophically mismatched against attackers who complete their mission in just over an hour.
Real-time data access monitoring is no longer an aspiration. It is a requirement. Organizations need the ability to detect anomalous data access patterns within seconds, not hours. They need automated policy enforcement that blocks suspicious activity without waiting for human analysis. They need behavioral baselines for every user and every AI agent that can identify deviations the moment they occur. The 72-minute window does not leave room for manual processes.
The Identity Problem Is a Data Exfiltration Problem
Ninety percent of incident response cases involved stolen identities and tokens. That statistic deserves a moment of reckoning. It means the primary method by which attackers access organizational data is not technical exploitation. It is credential theft. Phishing, token hijacking, credential stuffing, session replay — the mechanisms vary, but the outcome is the same. The attacker obtains a legitimate identity and uses it to access data as though they were the authorized user.
Traditional perimeter defenses were designed to distinguish insiders from outsiders. Firewalls, intrusion detection systems, network segmentation — all of these assume that the threat originates from outside the trust boundary and must be identified crossing it. When the attacker logs in with valid credentials, that assumption collapses. They are inside the trust boundary from the first moment. They are using an authorized identity. Their traffic looks legitimate because, from the system’s perspective, it is legitimate.
This is why identity-based attacks are so effective and why the 90% figure is so consequential. The attacker’s actions are indistinguishable from normal user behavior unless the organization has controls that evaluate context beyond identity. Where is this access originating? What time is it? What data classification is being accessed? How much data is being requested? Does this volume, velocity, and pattern match the account’s historical behavior? These are data-layer questions, not infrastructure-layer questions — and most organizations are not asking them.
The implication is direct: even when identity management is strong, even when multi-factor authentication is deployed, even when credentials are rotated regularly, the attacker who obtains a valid session token can exfiltrate data. Identity verification at the point of authentication is necessary but insufficient. Organizations need continuous verification at the point of data access — every request, every query, every download evaluated against the user’s baseline behavior, the data’s sensitivity classification, and the current risk context.
15 Minutes From Disclosure to Exploitation
The report reveals that attackers are now targeting known vulnerabilities within 15 minutes of a CVE being published. That is not a misprint. Fifteen minutes from the moment a vulnerability is publicly disclosed, threat groups are already scanning for and attempting to exploit it.
AI makes this possible. Automated systems parse CVE disclosures, identify the affected software, generate exploitation scripts, and launch scanning campaigns against hundreds of targets simultaneously. The human patch management cycle — evaluate the vulnerability, test the patch, schedule a maintenance window, deploy the update — operates on a timeline of days to weeks. The AI-accelerated exploitation cycle operates on a timeline of minutes.
This acceleration has two implications. First, organizations cannot rely on patch management alone to protect against known vulnerabilities. The window between disclosure and exploitation is now shorter than the time required to evaluate and deploy most patches. Compensating controls — network segmentation, virtual patching, data-centric access restrictions — must be deployable immediately while the patch cycle proceeds. Second, the 15-minute window reinforces the importance of reducing the blast radius of any successful exploitation. If an attacker exploits a vulnerability and gains access to a system, least-privilege data access controls determine whether they can reach sensitive data. Compartmentalization limits how far they can move. Anomaly detection identifies the deviation from normal patterns. The exploitation may succeed, but the exfiltration does not have to.
Trusted Integrations: The Supply Chain Attack You Already Authorized
Nearly one-quarter of incidents over the past year involved attackers abusing trusted integrations to launch attacks against SaaS applications. These are not zero-day exploits against unknown vulnerabilities. These are attacks that leverage connections the organization itself established — OAuth tokens, API integrations, service accounts, and cross-platform data flows that were granted privileged access by design.
Unit 42’s Sam Rubin describes this as a structural shift in supply chain risk that moves beyond vulnerable code to the abuse of trusted links. The distinction matters. Traditional supply chain security focuses on whether the code or components you consume contain vulnerabilities. The new supply chain risk is that the trusted connections between your systems — each one authorized, each one privileged — provide lateral movement paths that attackers can exploit without triggering the alerts designed to catch unauthorized access.
The attack pattern is deceptively simple. An attacker compromises a vendor or partner with trusted access to your SaaS environment. They use that trusted connection to access your data. From your security tools’ perspective, the access looks legitimate because the integration itself is legitimate. The OAuth token is valid. The API call is authorized. The data transfer follows established patterns — until it does not.
Defending against this requires monitoring the data access patterns of every integration, not just the identities of human users. When a trusted integration begins accessing data at volumes, velocities, or patterns that deviate from its established baseline, that deviation should trigger the same alerts and automated responses as anomalous human behavior. Organizations need comprehensive audit trails that document what data each integration accesses, when, at what volume, and for what purpose. And they need the ability to revoke integration access immediately when anomaly detection identifies potential compromise — without waiting for the vendor to confirm whether the integration has been exploited.
Why Traditional Defense Architectures Fail Against AI-Accelerated Attacks
The Palo Alto Networks report reveals a set of attack characteristics that collectively render traditional defense architectures inadequate. Four-times speed acceleration. 72-minute exfiltration windows. Ninety percent identity-based access. Fifteen-minute vulnerability exploitation. Trusted integration abuse. Each of these individually challenges conventional security. Together, they describe an attack landscape that has moved beyond what human-paced, perimeter-focused, periodic-review security operations can manage.
Traditional detection relies on correlating signals across multiple data sources — SIEM logs, endpoint telemetry, network flows — and having analysts investigate the resulting alerts. When attackers dwelled for weeks, that model worked because time was on the defender’s side. With a 72-minute window, time is exclusively on the attacker’s side. The correlation engine may generate the alert. The analyst may never see it before the exfiltration is complete.
Traditional prevention relies on keeping attackers outside the perimeter. When 90% of attacks use stolen credentials, the attacker is already past the perimeter from the moment of initial access. Firewalls, intrusion prevention systems, and network access controls are solving a problem the attacker has already bypassed.
Traditional response relies on identifying the scope of compromise, containing the affected systems, and remediating. When attackers exfiltrate in 72 minutes, there is nothing left to contain. The data is gone. The response becomes forensic investigation and breach notification — not active defense.
The defense model that matches these attack characteristics requires three capabilities operating simultaneously. Real-time data access monitoring that identifies anomalous patterns within seconds. Automated policy enforcement that blocks suspicious access without human intervention. And continuous verification that evaluates every data access request against the user’s baseline, the data’s classification, and the current threat context. This is not a perimeter model. It is a data-centric model — one that assumes the attacker is already inside and focuses on preventing the exfiltration rather than the initial access.
What Organizations Must Do to Match AI Attack Speed
The Palo Alto Networks report is based on more than 750 real-world incidents. The findings demand operational responses, not strategic planning exercises. Here is what organizations should do now.
Deploy real-time data access monitoring with automated anomaly detection. The 72-minute exfiltration window eliminates the viability of periodic log reviews and manual alert triage. Organizations need continuous monitoring that identifies anomalous data access patterns within seconds — unusual download volumes, atypical data classifications being accessed, access from unfamiliar locations or devices, rapid-fire query patterns. Anomaly detection must operate at machine speed because the attacks now operate at machine speed.
Implement automated policy enforcement that blocks exfiltration without human intervention. When anomaly detection identifies suspicious data access, the response must be automated. Restrict access, require step-up authentication, block downloads, revoke sessions. The 72-minute window does not allow time for an analyst to receive the alert, investigate the context, determine the severity, and make a blocking decision. Automated enforcement must execute in milliseconds while simultaneously alerting the security team for investigation.
Move beyond identity verification to continuous, context-based data access controls. Authentication at the front door is insufficient when 90% of attacks use stolen credentials. Every data access request must be evaluated against context: the data classification being requested, the user’s historical behavior patterns, the access location and device, and the volume and velocity of requests. Valid credentials should not be sufficient to access high-sensitivity data without additional verification based on these contextual factors. This is where attribute-based access control — evaluating identity, data classification, context, and risk simultaneously — replaces the static binary of “authenticated / not authenticated.”
Enforce least-privilege data access for every human user, AI agent, and integration. The blast radius of any successful credential theft or integration compromise is determined by how much data the compromised identity can reach. Least-privilege data access — limiting each identity to the minimum data classifications required for its function — is the single most effective control for reducing the impact of identity-based attacks. Audit every user, agent, and integration’s current data access against what they actually need. The Kiteworks Private Data Network enforces these boundaries through a governed gateway that ensures no identity — human or AI — can reach data beyond its authorized purpose.
Monitor trusted integrations with the same rigor as human users. Nearly one-quarter of incidents involved trusted integration abuse. Every integration’s data access patterns must be monitored continuously. Behavioral baselines should be established for each integration. Deviations — unusual volumes, new data categories, off-schedule access — must trigger the same automated responses as anomalous human behavior. Organizations must be able to revoke integration access immediately when compromise is suspected.
Build audit trails that enable 72-minute incident response, not 42-day detection. Comprehensive audit trails must document every data access event across every channel — email, file sharing, SFTP, managed file transfer, APIs. These trails must be searchable in real time, not in batch processing cycles. When an incident is detected, the audit trail must immediately show what data was accessed, by whom, when, from where, and what was done with it. The forensic timeline must be available in minutes, not weeks, because the attack completed in minutes, not weeks.
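As an added illustration (not Kiteworks' or Unit 42's code), the following Python sketch puts the controls above into one data-access policy engine: each request is an audit record carrying identity, classification, time, source, action and destination; every identity, including a SaaS integration, has its own least-privilege ceiling and behavioral baseline; and the decision (allow, step-up, block, or revoke the session) is made automatically from volume and context rather than from the credential alone. All identity names, classification labels, baselines and thresholds are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}  # constructed labels

@dataclass(frozen=True)
class AccessEvent:  # one audit record: who, what, when, from where, which action, to where
    identity: str        # human user, AI agent, or trusted integration
    classification: str  # sensitivity label of the requested data
    timestamp: datetime
    source: str          # location/device the request came from
    action: str          # read, download, share, transmit
    destination: str     # "" if the data stays inside the controlled environment
    nbytes: int

@dataclass(frozen=True)
class Baseline:  # least-privilege ceiling plus the identity's historical behaviour
    max_classification: str
    usual_sources: frozenset
    active_hours: tuple  # (start_hour, end_hour), half-open
    bytes_per_hour: int  # typical hourly volume

class PolicyEngine:
    def __init__(self, baselines):
        self.baselines = baselines
        self.history = defaultdict(list)  # identity -> events in the trailing hour
        self.revoked = set()

    def evaluate(self, ev):
        """Return (decision, reasons); decision is allow, step-up, block or revoke."""
        if ev.identity in self.revoked:
            return "revoke", ["session already revoked"]
        base = self.baselines[ev.identity]
        # 1. Least privilege: the identity's data ceiling is enforced before anything else.
        if SENSITIVITY[ev.classification] > SENSITIVITY[base.max_classification]:
            return "block", ["classification above least-privilege ceiling"]
        # 2. Volume over the trailing hour, this request included (thresholds are illustrative).
        cutoff = ev.timestamp - timedelta(hours=1)
        recent = [e for e in self.history[ev.identity] if e.timestamp > cutoff] + [ev]
        self.history[ev.identity] = recent
        if sum(e.nbytes for e in recent) > 3 * base.bytes_per_hour:
            # Bulk movement on a valid credential is the exfiltration pattern: revoke the
            # session when data is leaving, block the single request when it is only a read.
            if ev.action != "read":
                self.revoked.add(ev.identity)
                return "revoke", ["hourly volume exceeds 3x baseline"]
            return "block", ["hourly volume exceeds 3x baseline"]
        # 3. Context: unfamiliar source or off-schedule access forces step-up on sensitive data.
        context = []
        if ev.source not in base.usual_sources:
            context.append("unfamiliar source")
        start, end = base.active_hours
        if not start <= ev.timestamp.hour < end:
            context.append("off-schedule access")
        if context and SENSITIVITY[ev.classification] >= SENSITIVITY["confidential"]:
            return "step-up", context
        return "allow", context

def demo():
    """Constructed scenario: a stolen HR credential, then a drifting SaaS integration."""
    engine = PolicyEngine({
        "hr-analyst": Baseline("confidential", frozenset({"office-vpn"}), (8, 18), 50_000_000),
        "crm-sync": Baseline("internal", frozenset({"vendor-gateway"}), (2, 4), 20_000_000)})
    t, m = datetime(2025, 1, 15, 10, 0), timedelta(minutes=1)
    events = [
        AccessEvent("hr-analyst", "confidential", t, "office-vpn", "read", "", 1_000_000),
        AccessEvent("hr-analyst", "restricted", t + m, "office-vpn", "read", "", 1_000),
        AccessEvent("hr-analyst", "confidential", t + 5 * m, "home-isp", "download", "laptop", 1_000_000),
        AccessEvent("hr-analyst", "confidential", t + 10 * m, "office-vpn", "download", "laptop", 200_000_000),
        AccessEvent("hr-analyst", "internal", t + 11 * m, "office-vpn", "read", "", 1_000),
        AccessEvent("crm-sync", "internal", t + 240 * m, "vendor-gateway", "transmit", "ext-bucket", 90_000_000)]
    return [engine.evaluate(e)[0] for e in events]
```

Running `demo()` walks the scenario in order: a normal read is allowed, a request above the identity's ceiling is blocked, a download from an unfamiliar network triggers step-up, the 200 MB download pushes hourly volume past the baseline and revokes the session, the next request is refused on the revoked session, and the integration moving 90 MB off-schedule to an unknown destination is revoked by the same rule as a human user.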
The Attack Timeline Has Changed. Your Defense Timeline Must Change With It.
The Palo Alto Networks report documents a fundamental shift in the attack timeline. Attackers are four times faster. Data exfiltration occurs in 72 minutes. Stolen credentials appear in 90% of cases. Vulnerabilities are exploited within 15 minutes of disclosure. Trusted integrations are weaponized as lateral movement paths.
Every one of these findings points in the same direction: defense must operate at the data layer, at machine speed, in real time. The perimeter model that assumes attackers are outside has failed against credential-based access. The detection model that relies on human-paced analysis has failed against 72-minute exfiltration. The response model that focuses on containment has failed against attacks that complete before containment begins.
What remains is a data-centric defense model. Continuous monitoring of every data access event. Automated enforcement that blocks suspicious access in milliseconds. Context-based controls that evaluate every request against behavior baselines and data sensitivity. Least-privilege access that limits the blast radius of any compromise. And comprehensive audit trails that make incidents visible the moment they begin, not weeks after they end.
The attackers have changed their timeline. Organizations that do not change theirs will discover what 72 minutes of undetected access looks like in their next breach notification.
To learn how Kiteworks can help, schedule a custom demo today.
Frequently Asked Questions
Stolen credentials and session tokens appear in 90% of Palo Alto Networks’ incident response cases — meaning the attacker has already passed the authentication gate. Once inside, their access patterns look identical to legitimate users until they deviate. Standard multi-factor authentication and identity management controls verify identity at the point of login, but they don’t continuously evaluate what the authenticated session does next. Stopping credential-based exfiltration requires continuous verification at the point of data access: every request evaluated against the data’s sensitivity classification, the user’s historical behavior patterns, access location and device, and the volume and velocity of requests. Valid credentials should not be sufficient to access high-sensitivity data if the contextual profile doesn’t match. This is the gap between perimeter security and data-centric security.
A SIEM-based detection model correlates signals and generates alerts for human analysts to investigate. With a 72-minute exfiltration window, that model allows the attack to complete before any analyst responds. A data-centric defense model replaces the human-in-the-loop for enforcement decisions with three automated capabilities operating simultaneously: real-time anomaly detection that identifies deviations within seconds, automated policy enforcement that blocks suspicious access without waiting for human analysis, and attribute-based access control that evaluates every data request against identity, data classification, behavioral baseline, and current risk context. The key distinction is where enforcement happens — not at the network perimeter or after-the-fact in a SIEM console, but at the moment of data access, before the exfiltration occurs.
When an attacker obtains a valid credential — through phishing, token hijacking, or session replay — they inherit whatever data access that identity holds. If the compromised identity has broad access to sensitive systems, the exfiltration scope is broad. Least-privilege data access limits each identity to the minimum data classifications required for its defined function, regardless of what systems it can technically authenticate to. A stolen credential for an HR system account can only reach HR data — not financial records, engineering files, or customer PII. This compartmentalization doesn’t prevent the initial compromise, but it makes the difference between a narrow, contained incident and a catastrophic one. Combined with DLP controls that prevent bulk downloads and anomaly detection that flags unusual access volume, least-privilege access is the most effective single control for reducing the impact of the identity-based attacks that now dominate the threat landscape.
Trusted integrations — OAuth tokens, API connections, and service accounts — represent pre-authorized privileged access that attackers inherit when they compromise a vendor or partner. Traditional access controls don’t flag this activity as suspicious because the connection is legitimate by design. Effective governance requires treating each integration as a distinct identity with its own behavioral baseline: expected access volume, data categories accessed, access schedule, and destination patterns. Any deviation — unusual data volumes, access to new record types, off-schedule queries, data flowing to unexpected destinations — should trigger the same automated responses as anomalous human behavior. Organizations also need the ability to immediately revoke integration access without requiring vendor confirmation, and comprehensive audit trails documenting every integration data access event for supply chain risk review and breach notification evidence.
An audit trail that supports real-time incident response must capture six elements for every data access event: the identity (user, AI agent, or integration) making the request; the data classification and specific records accessed; the timestamp and session duration; the source location and device; the action taken (read, download, share, transmit); and the destination if data left the controlled environment. Critically, these records must be queryable in real time — not batch-processed overnight. When an anomaly triggers an alert, the security team needs to immediately see the full access timeline for the suspected session, not wait hours for log aggregation. Comprehensive coverage across every channel — managed file transfer, SFTP, email, APIs, and web applications — ensures there are no blind spots where exfiltration can occur outside the forensic record. Under GDPR’s 72-hour breach notification requirement and equivalent mandates in HIPAA and sector frameworks, this forensic capability is also the foundation of regulatory compliance — not just operational defense.